SSH remote host identification has changed

You might recognise the situation: you try to log in to a server via ssh and, instead of the console, you get the “REMOTE HOST IDENTIFICATION HAS CHANGED” warning.

Let's assume you log in to 123.123.123.123 like this:

$ ssh username@123.123.123.123

Here is an example of what the warning you receive might look like:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef.
Please contact your system administrator.
Add correct host key in /Users/username/.ssh/known_hosts to get rid of this message.
Offending key in /Users/username/.ssh/known_hosts:369
RSA host key for 123.123.123.123 has changed and you have requested strict checking.
Host key verification failed.

What does that mean?

It is “only” a warning, but it prevents you from logging in to the host. It means that the host identification (fingerprint) you accepted when you logged in for the first time does not match the fingerprint presented on this connection attempt. As the message states, this can be a man-in-the-middle attack, but – as in my case – it also happens when you have re-installed your server: the IP/DNS name is the same, but the fingerprint has changed. If you know this is the reason, you will need to remove the old host key/fingerprint and then accept the new fingerprint on the next login attempt.

Possibility one

On OS X, edit the file ‘/Users/username/.ssh/known_hosts’, go to the line number given in the message (369 in the example above) and delete that line (make sure it is really the right line that you delete).

Possibility two

The easier way is to run a command which does the editing for you. It creates a backup of the old known_hosts file as /Users/username/.ssh/known_hosts.old. Of course, if you run it twice, the second run will overwrite the first backup. To do this, run the following:

ssh-keygen -R 123.123.123.123

Accept the new fingerprint

Try to log in now and you will see the following output asking you to accept the unknown host’s fingerprint:

The authenticity of host '123.123.123.123 (123.123.123.123)' can't be established.
RSA key fingerprint is 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef.
Are you sure you want to continue connecting (yes/no)?

After you have accepted the new fingerprint, it is stored permanently in the known_hosts file. Unless the fingerprint changes again, ssh will not prompt you about it again.
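
The check behind “if you know this is the reason”, as an added example that is not part of the original post: it finds the stored key for a host in known_hosts text (plain and hashed entries), computes its fingerprint in the colon-hex MD5 form shown above and in the SHA256 form current OpenSSH prints, and calls the entry stale only when the fingerprint ssh printed equals one you read on the server itself. The function names and the sample keys are assumptions constructed for illustration, and both fingerprints passed to assess must be in the same format.

```python
import base64, hashlib, hmac

def fingerprints(key_b64):
    """Return (MD5 colon-hex, SHA256) fingerprints of a base64 public key blob."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def host_matches(field, host):
    """Match the host field: a plain name list, or a hashed |1|salt|hash entry."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return host in field.split(",")  # exact names only, no wildcard patterns

def find_host_keys(text, host):
    """Return (line number, key type, MD5, SHA256) for each key stored for host."""
    found = []
    for number, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if parts and parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3 and parts[0][0] != "#" and host_matches(parts[0], host):
            found.append((number, parts[1]) + fingerprints(parts[2]))
    return found

def assess(text, host, offered_fp, trusted_fp):
    """Compare the fingerprint ssh printed with one read on the server itself."""
    if offered_fp != trusted_fp:
        return "mismatch: do not remove the old entry, investigate"
    stored = find_host_keys(text, host)
    if not stored:
        return "no stored key for this host"
    if any(offered_fp in entry[2:] for entry in stored):
        return "stored key already matches"
    lines = ", ".join(str(entry[0]) for entry in stored)
    return "stale entry on line(s) %s: safe to run ssh-keygen -R" % lines

# Constructed sample data: placeholder blobs, not real host keys.
OLD_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa constructed old").decode()
NEW_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa constructed new").decode()
SAMPLE = "# constructed known_hosts\n123.123.123.123 ssh-rsa %s\n" % OLD_KEY

if __name__ == "__main__":
    new_md5, _ = fingerprints(NEW_KEY)  # stands in for the value read on the server
    print(find_host_keys(SAMPLE, "123.123.123.123"))
    print(assess(SAMPLE, "123.123.123.123", new_md5, new_md5))
```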